WebISO: the killer kerberos app?

Russ Allbery rra at stanford.edu
Mon Mar 15 16:55:52 EST 2004


Damon Rand <damon-mail at cybermagic.co.nz> writes:

> Is the clientside solution fundamentally flawed in the extranet sense?
> I was under the impression that the client workstation had to be logged
> into the same domain as the server.. ie. If a web user was logged into
> the ACME domain from their ACME workstation then they can't come to my
> site and use SPNEGO (or SASL?) protocol to login into my website
> authenticated against the BAMBI domain?

In theory, it's very much possible to obtain Kerberos tickets from
multiple realms at the same time and manage them appropriately.  In
practice, very little software actually does this properly and given the
presence of kiosk machines and the like, solutions that require any action
external to the web browser are of dubious usefulness, at least currently.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the Kerberos mailing list